SystemBC RAT Poses New Risks to Linux Systems

Threat Group: Various Cybercriminal Groups
Threat Type: Remote Access Trojan (RAT) and Proxy Malware
Exploited Vulnerabilities: No specific vulnerabilities exploited; relies on various propagation methods
Malware Used: SystemBC (also known as Coroxy or DroxiDat)
Threat Score: High (8.5/10) – Due to its cross-platform targeting capabilities, advanced evasion techniques, and association with ransomware deployments.
Last Threat Observation: 12 February 2025
Overview
SystemBC has transitioned from a Windows-only threat to a cross-platform menace by developing a variant that targets Linux systems. This evolution increases the malware's potential impact, as Linux servers are integral to many enterprise operations. The latest version employs encrypted communication channels to evade detection, enhancing its stealth and persistence within compromised networks.
Key Details
- Delivery Method: SystemBC is distributed through various methods, including phishing emails, drive-by downloads, and exploitation of network vulnerabilities.
- Target: The malware targets both Windows and Linux systems, with a recent focus on Linux-based platforms.
- Functions:
- Proxy Server Functionality: Establishes a SOCKS5 proxy on infected machines, enabling attackers to route their traffic through the compromised device and mask their origin.
- Remote Access and Control: Grants attackers remote access to the infected system, allowing them to execute commands, manipulate files, and steal sensitive data.
- Malware Delivery: Capable of downloading and executing additional malicious payloads, such as ransomware and infostealers.
- Persistence: Employs various techniques to maintain persistence on the infected system, including scheduled tasks and registry modifications.
- Evasion: Utilizes encryption and obfuscation techniques to evade detection by security software.
Attack Vectors
SystemBC operates by establishing encrypted communication channels with its command-and-control (C2) servers, often utilizing the Tor network to anonymize traffic. This approach conceals the destination of C2 traffic, making detection challenging. The malware's proxy functionality facilitates lateral movement within compromised networks without deploying additional, easily detectable tools.
Known Indicators of Compromise (IoCs)
File Hashes (SHA256)
75404543de25513b376f097ceb383e8efb9c9b95da8945fd4aa37c7b2f226212
7a42f96599df8090cf89d6e3ce4316d24c6c00e499c8557a2e09d61c00c11986
7dea671be77a2ca5772b86cf8831b02bff0567bce6a3ae023825aa40354f8aca
IP Addresses (C2 Servers)
Other Network Connections
- Domain: halagifts[.]com
- IP Address: 217[.]15[.]175[.]191
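As an added example (not code from the advisory or from any of the sources it cites), the following Python scans a constructed connection-log format for the two behaviours described above: contact with one of the listed indicators, and a SOCKS5 client greeting arriving at a local listener, which is how a SystemBC proxy would show up on a host. The record format, the sample lines and the defanged-indicator handling are assumptions.

```python
# Added example, not code from the advisory or from SystemBC: flag constructed
# connection-log records that reach a listed indicator or receive a SOCKS5 greeting.
import re

# Indicators as written in the advisory (defanged with "[.]").
DEFANGED_IOCS = ["halagifts[.]com", "217[.]15[.]175[.]191"]

def refang(ioc: str) -> str:
    """Turn a defanged indicator into a matchable host or address."""
    return ioc.replace("[.]", ".")

IOCS = {refang(i) for i in DEFANGED_IOCS}

def is_socks5_greeting(payload: bytes) -> bool:
    """True for a well-formed SOCKS5 client greeting (RFC 1928):
    version 0x05, method count N >= 1, then exactly N method bytes."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    return nmethods >= 1 and len(payload) == 2 + nmethods

# Constructed record format: src dst dst_port in|out hex_of_first_payload_bytes
RECORD = re.compile(r"^(\S+) (\S+) (\d+) (in|out) ([0-9a-fA-F]*)$")

def classify(line: str) -> list:
    """Return the reasons a record is suspicious; an empty list means clean."""
    m = RECORD.match(line.strip())
    if not m:
        return ["unparseable record"]
    _src, dst, port, direction, first_hex = m.groups()
    reasons = []
    if dst in IOCS:
        reasons.append(f"destination {dst} is a listed indicator")
    if direction == "in" and is_socks5_greeting(bytes.fromhex(first_hex)):
        reasons.append(f"SOCKS5 greeting on local port {port}: unexpected proxy listener")
    return reasons

# Constructed sample: one IoC IP, one IoC domain, one SOCKS5 greeting, two benign.
SAMPLE_LOG = """\
10.0.0.5 217.15.175.191 443 out 1603010200
10.0.0.5 halagifts.com 80 out 474554
10.0.0.5 93.184.216.34 443 out 1603010200
203.0.113.9 10.0.0.5 4001 in 050100
203.0.113.9 10.0.0.5 22 in 5353482d322e30
"""

def scan(log: str) -> dict:
    """Map each suspicious record to its reasons."""
    return {ln: r for ln in log.splitlines() if (r := classify(ln))}
```

Running `scan(SAMPLE_LOG)` flags the two indicator contacts and the SOCKS5 greeting on port 4001 while leaving the ordinary TLS and SSH records untouched.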
Mitigation and Prevention
- User Awareness: Educate users about phishing attacks, suspicious links, and the importance of downloading software from trusted sources.
- Email Filtering: Implement advanced email filtering solutions to block phishing emails and malicious attachments.
- Antivirus Protection: Deploy reputable antivirus software with real-time protection to detect and prevent SystemBC infections.
- Two-Factor Authentication (2FA): Enable 2FA for all accounts to add an extra layer of security.
- Monitor Logs: Regularly monitor system and network logs for unusual activity that could indicate a SystemBC infection.
- Regular Updates: Keep operating systems, applications, and security software up to date to patch vulnerabilities that could be exploited by SystemBC.
- Network Segmentation: Isolate critical systems and networks to limit the impact of a potential breach.
- Endpoint Detection and Response (EDR): Implement EDR solutions to detect and respond to malicious activity on endpoints.
- Security Information and Event Management (SIEM): Utilize SIEM tools to monitor network traffic and identify anomalous behavior.
- Regular Security Audits and Penetration Testing: Conduct regular security assessments to identify vulnerabilities and weaknesses.
Risk Assessment
SystemBC's expansion to Linux platforms significantly increases its threat level, given the widespread use of Linux in enterprise environments. Its capabilities for encrypted communication, proxy functionality, and delivery of additional malware payloads, including ransomware, pose substantial risks to organizations. The malware's evasion techniques and persistence mechanisms further complicate detection and removal efforts.
The risk level varies based on an organization's industry, geographic location, and data sensitivity. Financial institutions, healthcare organizations, and critical infrastructure operators should be particularly vigilant.
Technical Details
- Persistence Mechanisms: Scheduled tasks, registry modifications, and system service manipulation.
- Communication Protocols: Uses SOCKS5 proxy, Tor network, and dynamically assigned TCP ports.
- Encryption Techniques: Utilizes SSL/TLS encryption to secure communications with C2 servers.
Conclusion
SystemBC's evolution into a cross-platform threat underscores the need for comprehensive security measures that address both Windows and Linux systems. Organizations should implement a multi-layered defense strategy, combining user education, robust security software, and vigilant network monitoring to detect and mitigate SystemBC infections promptly. Regular updates and adherence to security best practices are essential to minimize the risk posed by this persistent threat.
Sources
- HackRead - SystemBC RAT Now Targets Linux, Spreading Ransomware and Infostealers
- Kroll - Inside the SystemBC Command-and-Control Server
- Sophos - Sophos Reports On How SystemBC Has Developed Into An Off-The-Shelf Tor Backdoor Used By Ransomware Operators
- Bitsight - SystemBC: The Multipurpose Proxy Bot Still Breathes